Abstract

The analysis of programs is an important and well-researched topic in information security, specifically for finding bugs in binary programs or analyzing malicious software. Many commonly used techniques rely on dynamic analysis, running samples and monitoring their behavior, or are based on the cumbersome and time-consuming inspection of plain assembly code. In this paper we present a novel approach to static analysis that we use in bin2llvm, a work-in-progress analysis framework, to find and identify cryptographic routines in binary programs. Our approach does not need to run the target of analysis in any way and is based on decompiling binaries to the LLVM Intermediate Representation (IR), an intermediate language similar to assembly code, using the open source decompiler Dagger. After decompilation we are able to apply various analysis techniques to the resulting code. These methods can be easily implemented and extended as optimization passes for the LLVM optimizer and can therefore benefit from its extensive API. Although we discovered certain drawbacks and issues with this approach, our results and proof of concept show that IR code is a very suitable target for analyses and that it is well worth driving research further into this topic.
